Where the United States Goes, the FCA Will Inevitably Follow: Regulatory Action Against the Use of Personal Mobile Devices
The ability to maintain effective and accurate recordkeeping, a key method of ensuring market integrity, has been tested in recent years. The widespread use of personal mobile devices, instant messaging services, and general technological advances has given rise to an important question: Are firms doing enough to ensure employees are complying with legislative requirements to guarantee accurate recordkeeping is maintained and regulatory requirements are met?
LEGISLATION AND AN UPTICK IN ENFORCEMENT
Recently, an increasing number of fines have been handed down by the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC). The SEC has issued fines against several financial institutions in relation to violations of Section 17(a) of the Securities Exchange Act of 1934 (the Act) and Rules 17a-4(b)(4) and 17a-4(j). The purpose of the legislation is to regulate the trading of securities of public companies and to promote reporting by issuers whose securities are listed on the U.S. stock market or publicly offered in the United States. The CFTC has also issued fines against a number of financial institutions for related recordkeeping and supervision violations in the Commodity Exchange Act and CFTC Regulations.1
Section 17(a)(1) of the Act enables the SEC to issue rules requiring broker-dealers to create, keep, and furnish copies of records that are either in the public interest or protect investors. Rule 17a-4 specifies the manner and length of time in which the records must be maintained and produced to the SEC, and Rule 17a-4(b)(4) requires that the records be created and preserved in an easily accessible place. This includes originals of all communications received and sent relating to the firm’s business.
The ability to preserve personal communications by firm employees has attracted the attention of the SEC and CFTC. SEC Chair Gary Gensler stated that “as technology changes, it is even more important that registrants ensure that their communications are appropriately recorded and are not conducted outside of official channels in order to avoid market oversight.” The lack of effort by some firms to correctly implement policies and procedures to monitor personal communications has led to an increase in violations of federal securities laws and the subsequent imposition of large fines. It should be noted that the U.S. Department of Justice (the DOJ) has also expressed concern over the use of personal devices and third-party applications, which led to the DOJ issuing guidance via a memorandum in September 2022.2
Earlier this year, the SEC and CFTC handed down fines of nearly US$2 billion to a group of Wall Street giants for failures relating to maintaining and preserving communications. Employees communicated via WhatsApp and other instant messaging services in direct contravention of company policy. Investigations undertaken by the SEC revealed that the relevant firms were unable to provide copies of the off-channel communications to investigators. Director of the SEC’s Enforcement Division, Gurbir S. Grewal, highlighted the importance of accurate recordkeeping, describing it as “sacrosanct.”
The case of JonesTrading Institutional Services LLC (JonesTrading) highlights the difficulty that companies face in preventing business-related correspondence from being conducted via personal devices. JonesTrading strictly prohibited such communications; however, when requested, records provided to the SEC referenced personal communications discussing the business of the firm that were not in fact preserved. The firm was subject to a US$100,000 penalty.3
The actions by the SEC and CFTC are clear: There will be no relief for firms that fail to adequately preserve and produce communications in a way that complies with the Act.
THE FCA TAKES ACTION
Enforcement against firms failing to comply with communication preservation requirements is also on the rise in the United Kingdom. The increase in remote working and widespread usage of instant messaging services has drawn the attention of the Financial Conduct Authority (FCA). Firms must be aware of rule SYSC 10A.1 of the FCA Handbook requiring firms to “take all reasonable steps to prevent an employee or contractor from making, sending, or receiving relevant telephone conversations and electronic communications on privately-owned equipment which the firm is unable to record or copy.” SYSC 10A.1 applies only to communications that relate to the activities in financial instruments referred to in SYSC 10A.1.1R (2), and while the prohibition is broad in scope and may inevitably result in the recording of all communications on work devices for many firms, it is not a complete ban on the use of private devices for business-related matters, subject to individual firm policies.
The influence of the SEC and CFTC is clear and is evidenced by recent announcements by the FCA that they are “actively discussing personal device use with a range of UK authorized firms, not limited to those who may have been subjected to other regulatory enquiries.” The discussions involve many of the same Wall Street giants who were subject to the scrutiny and near US$2 billion fine by the SEC and CFTC. The comments send a warning to firms that the increased scrutiny and requests for communications may become more commonplace. Firms are taking note by taking steps to maintain oversight of employees’ communications, including by requesting that employees install applications to allow calls and instant messages to be tracked for retention purposes and to provide access to all personal devices if used to communicate with any clients or colleagues.
Communications via personal channels and the use of instant messaging services have created difficulties for firms seeking to comply with regulations in both the United States and the United Kingdom. The SEC and CFTC have not hesitated to punish firms for failing to comply with such regulations, and the FCA has taken note. Firms should review procedures relating to the retrieval and storage of employee communications on personal devices and ensure such procedures are regularly updated to guarantee there are no lapses in compliance. It is no longer sufficient for firms to implement recordkeeping policies alone to ensure compliance; firms must diligently supervise their employees.